Defence against crypto-ransomware families using dynamic binary instrumentation and DLL injection
Online publication date: Wed, 05-Jul-2023
by Sundaresan Ramachandran; Jeet Rami; Abhinav Shah; Kyounggon Kim; Digvijaysinh Mahendrasinh Rathod
International Journal of Electronic Security and Digital Forensics (IJESDF), Vol. 15, No. 4, 2023
Abstract: In recent years, ransomware incidents have become increasingly prevalent, including among nation-state-sponsored hacker groups, and the expertise and tooling needed to deploy ransomware continue to evolve. Comprehensive methods to defend against sophisticated ransomware attacks are therefore essential. This study presents a two-step approach to classify crypto-ransomware and to prevent the file encryption it performs. First, the image loading sequences (ILS) in memory of the Ryuk, Thanos, Cerber, Jigsaw, Teslacrypt, Wannacry, Satana and Lockergoga families were recorded with the Intel Pin dynamic binary instrumentation (DBI) tool, and an association-mapping method was developed to classify crypto-ransomware families from these sequences. Second, Windows application programming interface (WinAPI) hooking was applied to the crypto-ransomware samples. Kernel32.dll, ADVAPI32.dll, Cryptsp.dll, rsaenh.dll and ws2_32.dll were observed to be the dynamic-link libraries (DLLs) most commonly loaded across the ransomware families. As a proof of concept, the CreateFileW function exported by Kernel32.dll was hooked to prevent file encryption. The results demonstrate that DBI can identify and classify new crypto-ransomware variants from related families, and that the WinAPI function hook was successfully applied against the Jigsaw, Zemblax and Cerber ransomware.
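The abstract describes the association-mapping step only at a high level. The following is an added illustration, not the paper's code, of one plausible way to classify an image-loading sequence against per-family profiles: parse constructed Pin-style image-load log lines into an ordered list of DLL names, score that list against each family's reference sequence with an order-preserving longest-common-subsequence ratio, and report which DLLs every ransomware profile has in common. The family profiles, the log line format, the similarity measure, the threshold and all function names are assumptions made for this example; the real ILS would come from Pin's image-load callbacks on live samples.

```python
"""Toy association mapping over image-loading sequences (ILS).

Added example; not code from the paper. Every sequence below is constructed
for illustration and is not measured data. The Windows-side hooking of
CreateFileW is not shown here, only the classification step.
"""
import ntpath
from collections import Counter

# Constructed reference ILS per family (assumed, not measured). The order is
# the order in which each sample mapped the DLLs during execution.
FAMILY_ILS = {
    "Jigsaw": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll",
               "cryptsp.dll", "rsaenh.dll", "ws2_32.dll"],
    "Cerber": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll",
               "cryptsp.dll", "rsaenh.dll", "user32.dll"],
    "Benign": ["ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
               "gdi32.dll", "msvcrt.dll"],
}

# Constructed log in an assumed "IMG_LOAD <path>" format, as a Pin tool
# logging image-load events might emit it. Not real Pin output.
PIN_LOG = r"""
IMG_LOAD C:\Windows\System32\ntdll.dll
IMG_LOAD C:\Windows\System32\kernel32.dll
IMG_LOAD C:\Windows\System32\KernelBase.dll
IMG_LOAD C:\Windows\System32\advapi32.dll
IMG_LOAD C:\Windows\System32\cryptsp.dll
IMG_LOAD C:\Windows\System32\rsaenh.dll
IMG_LOAD C:\Windows\System32\shell32.dll
IMG_LOAD C:\Windows\System32\ws2_32.dll
"""


def ils_from_log(text):
    """Extract the ordered list of DLL base names from IMG_LOAD lines."""
    seq = []
    for line in text.splitlines():
        if line.startswith("IMG_LOAD"):
            # ntpath handles backslash paths even when run on Linux.
            seq.append(ntpath.basename(line.split(None, 1)[1].strip()).lower())
    return seq


def lcs_length(a, b):
    """Longest common subsequence length (dynamic programming).

    Unlike plain set overlap this keeps the load ORDER, which is what
    distinguishes an image-loading sequence from a DLL inventory.
    """
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b):
            cur.append(prev[j] + 1 if x == y else max(prev[j + 1], cur[j]))
        prev = cur
    return prev[-1]


def ils_similarity(a, b):
    """Normalised LCS: 1.0 for identical sequences, 0.0 for disjoint ones."""
    if not a or not b:
        return 0.0
    return 2.0 * lcs_length(a, b) / (len(a) + len(b))


def common_dlls(families, min_share=1.0):
    """DLLs that appear in at least min_share of the given family profiles."""
    counts = Counter()
    for seq in families.values():
        counts.update({d.lower() for d in seq})
    n = len(families)
    return sorted(d for d, c in counts.items() if c / n >= min_share)


def classify_ils(sample, families=FAMILY_ILS, threshold=0.6):
    """Return (best family or 'unknown', per-family scores).

    threshold is an assumed cut-off; a real deployment would calibrate it on
    held-out samples rather than pick 0.6 by hand.
    """
    sample = [d.lower() for d in sample]
    scores = {fam: ils_similarity(sample, [d.lower() for d in ref])
              for fam, ref in families.items()}
    best = max(scores, key=scores.get)
    if scores[best] < threshold:
        return "unknown", scores
    return best, scores


if __name__ == "__main__":
    unknown = ils_from_log(PIN_LOG)
    label, scores = classify_ils(unknown)
    print("classified as:", label, {k: round(v, 3) for k, v in scores.items()})
    ransomware_only = {k: v for k, v in FAMILY_ILS.items() if k != "Benign"}
    print("DLLs common to all ransomware profiles:", common_dlls(ransomware_only))
```

The sample sequence above matches the constructed Jigsaw profile apart from one extra shell32.dll load, so the LCS ratio against Jigsaw (14/15) beats Cerber (12/15) and the benign profile, while a sequence that shares only the loader DLLs with every profile falls under the threshold and is reported as unknown rather than forced into a family. Restricting common_dlls to the ransomware profiles surfaces the crypto-related libraries (advapi32, cryptsp, rsaenh) alongside the loader DLLs that every Windows process maps, which is why a practitioner would hook a function such as CreateFileW rather than alert on those DLL names alone.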